Securing Data Today
and in the Future
and in the Future
Ulf Mattsson CTO Protegrity
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Tokenization
Co-founder of Protegrity (Data Security)
Research member of the International Federation for
Information Processing (IFIP) WG 11.3 Data and Application
Security
Security
Member of
• Cloud Security Alliance (CSA)
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9 • Information Systems Security Association (ISSA)
Agenda
•
Trends in data breaches
•
Companies are reevaluating how they protect data
• Understand the flow of data
• Review different options for data protection
• More granular approaches to secure data
•
Cost efficiency and Scalability
•
Cost efficiency and Scalability
•
Compliance and “out of scope” aspects
•
Case study in data protection
•
Data protection in cloud and outsourced
environments
Best Source of Incident Data
“It is fascinating that the top threat events in both 2010 and 2011 are the same
and involve external agents hacking and installing malware to compromise the confidentiality and integrity of servers.”
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team
900+ breaches
900+ million compromised records:
Data Breaches – Mainly Online Data Records
%
Compromised Data Types - # Records
Bank account data Intellectual property Usernames, passwords Personal information Payment card data
Source: Data Breach Investigations Report, Verizon Business RISK team and USSS
0 20 40 60 80 100 120
Sensitive organizational data System information Classified information Medical records
Industry Groups Represented - # Breaches
Manufacturing Tech Services Government Financial Services Retail HospitalitySource: Data Breach Investigations Report, Verizon Business RISK team and USSS
0 10 20 30 40 50 Business Services Healthcare Media Transportation Manufacturing %
Breach Discovery Methods - # Breaches
Reported by employee Unusual system behavior Reported by customer/partner J
Notified by law enforcement Third party fraud detection
Source: Data Breach Investigations Report, Verizon Business RISK team and USSS
%
0 10 20 30 40 50
Third party monitoring service Brag or blackmail by perpetrator Internal fraud detection Internal security audit or scan
Threat Action Categories by Percent of Breaches
The Changing Threat Landscape
Some issues have stayed constant:
Threat landscape continues to gain sophistication
Attackers will always be a step ahead of the defenders
We're fighting highly organized, well-funded crime syndicates and nations
Move from detective to preventative controls needed:
Move from detective to preventative controls needed:
Several layers of security to address more significant areas of risks
Some Data is Extremely Sensitive
Be very careful with data that is extremely sensitive and
attracts powerful attackers
RSA Example - The implications are serious because RSA's technology underpins the security of some of the world's most closely guarded data
RSA makes small security devices that supply constantly changing numbers that are used as secondary passwords for accessing
corporate networks and email
If the attacker managed to steal the codes that determine which numbers appear on the tokens, that information could be used to perform mass infiltrations — if the attacker already has other
Some Data is Extremely Sensitive J
Be careful when allowing keys or seed material to be
escrowed
Ask if there really is a backdoor to the encryption system (RSA)
Audit the hosting company and validate the security of their environment.
Ask how the data is protected on disk, network and in memory.
APT (Advanced Persistent Threat) is not dead
It is increasing
It is increasing
Memory is sniffed (RAM scrapers)
More granular data security
It's important to use different encryption keys for different data
Give them only the information they really needed
Trust should not by the policy.
Do not trust administrators, database, network J
Insider Crime
Bank of America Gets Hit Twice
An employee theft of bank customer data
Names, addresses, social security numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances
Selling it to crooks
Used information to order new checks and money transfers
Consumer fears over lost data and ID crime is a major
Attacker Public Network S S L Private Network Encrypt Data on Public Networks (PCI DSS) Clear Text
Example of How the Problem is Occurring – PCI DSS
OS File System Database Storage System Application Encrypt Data At Rest (PCI DSS)
Clear Text Data Clear Text
Data Security Today is a Catch-22
We need to protect both data and the business processes
that rely on that data
Enterprises are currently on their own in deciding how to
Enterprises are currently on their own in deciding how to
apply emerging technologies for PCI data protection
• Data Tokenization - an evolving technology
Cost Effective PCI DSS
Correlation or event management systems Identity & access management systems Access governance systems Encryption for data in motion Anti-virus & anti-malware solution Encryption/Tokenization for data at rest Firewalls
WAF
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
0 10 20 30 40 50 60 70 80 90 ID & credentialing system
Database scanning and monitoring (DAM) Intrusion detection or prevention systems Data loss prevention systems (DLP) Endpoint encryption solution
Web application firewalls (WAF) WAF
DLP
DAM
%
What is Tokenization and what is the Benefit?
Tokenization
• Tokenization is process that replaces sensitive data in
systems with inert data called tokens which have no value to the thief.
• Tokens resemble the original data in data type and length
Benefit
• Greatly improved transparency to systems and processes that • Greatly improved transparency to systems and processes that
need to be protected
Result
• Reduced remediation
• Reduced need for key management • Reduce the points of attacks
Current, Planned Use of Enabling Technologies
47% 35% 39% 16% 10% 21% 30% 18% 1% 91% 5% 4% Access controlsDatabase activity monitoring
Database encryption
Backup / Archive encryption 39%
28% 29% 23% 7% 7% 13% 22% 7% 28% 21% 4%
Backup / Archive encryption
Data masking
Application-level encryption
Tokenization
Protecting the Data Flow - Example
PCI DSS - Ways to Render the PAN* Unreadable
Two-way cryptography with associated key management
processes
One-way cryptographic hash functions
Index tokens and pads
Truncation (or masking – xxxxxx xxxxxx 6781)
aVdSaH 1F4hJ 1D3a !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* Hashing Strong Encryption Alpha -Intrusiveness
(to Applications and Databases)
!@#$%a^.,mhu7/////&*B()_+!@
Standard Encryption
Securing Data Fields – Impact of Different Methods
123456 777777 1234 123456 123456 1234 aVdSaH 1F4hJ 1D3a Alpha Numeric Partial Clear Text -I Original I Longer 666666 777777 8888 Tokenizing orFormatted Encryption Data Length Encoding Original Data
Positioning Different Protection Options
Evaluation Criteria Strong
Encryption
Formatted Encryption
Data Tokens
Security & Compliance Total Cost of Ownership
Use of Encoded Data
Data Security Method System Layer Hashing Formatted Encryption Strong Encryption Data Tokenization
Risk Management and PCI – Security Aspects
Different data security methods and algorithms
Policy enforcement implemented at different system layers
System Layer Application Database Column Database File Storage Device Best Worst
Data Security Method System Layer Hashing Formatted Encryption Strong Encryption Data Tokenization
Risk Management and PCI – Security Aspects
Integration at different system layers
Different data security methods and algorithms
Application Database Column Database File Storage Device Best Worst : N/A
Token Flexibility for Different Categories of Data
Type of Data Input Token Comment
Token Properties
Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric
Medical ID 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date
E-mail Address [email protected] [email protected] Alpha Numeric, delimiters in input preserved
input preserved
SSN delimiters 075-67-2278 287-38-2567 Numeric, delimiters in input Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed
Policy Masking
Credit Card 3872 3789 1620 3675 clear, encrypted, tokenized at rest
3872 37## #### ####
Presentation Mask: Expose 1st
Tokenization Use Case Example
A leading retail chain
• 1500 locations in the U.S. market
Simplify PCI Compliance
• 98% of Use Cases out of audit scope
• Ease of install (had 18 PCI initiatives at one time)
Tokenization solution was implemented in 2 weeks
Tokenization solution was implemented in 2 weeks
• Reduced PCI Audit from 7 months to 3 months • No 3rd Party code modifications
• Proved to be the best performance option • 700,000 transactions per days
• 50 million card holder data records
• Conversion took 90 minutes (plan was 30 days) • Next step – tokenization server at 1500 locations
Amazon Cloud & PCI DSS
Just because AWS is certified doesn't mean you are
• You still need to deploy a PCI compliant application/service and
anything on AWS is still within your assessment scope
PCI-DSS 2.0 doesn't address multi-tenancy concerns
You can store PAN data on S3, but it still needs to be
encrypted in accordance with PCI-DSS requirements
• Amazon doesn't do this for you
• You need to implement key management, rotation, logging, etc.
If you deploy a server instance in EC2 it still needs to be
assessed by your QSA (PCI auditor)
• Organization's assessment scope isn't necessarily reduced
Tokenization can reduce your handling of PAN data
Risks Associated with Cloud Computing
Uptime/business continuity Weakening of corporate network
security
Threat of data breach or loss Handing over sensitive data to a
third party
Source: The evolving role of IT managers and CIOs Findings from the 2010 IBM Global IT Risk Study
0 10 20 30 40 50 60 70 Inability to customize applications
Financial strength of the cloud computing provider
Uptime/business continuity
Security Check Point
User
“Must Pass Security Before Entering The Cloud”
123456 123456 1234 123456 123456 1234
Protected sensitive information Unprotected sensitive information:
123456 9999991234
Secured data
Data Tokenization – Reducing the Attack Surface
123456 123456 1234
123456 9999991234 123456 123456 1234
123456 9999991234 123456 9999991234
Applications & Databases : Data Token
Different Approaches for Tokenization
Traditional Tokenization
• Dynamic Model or Pre-Generated Model
• 5 tokens per second - 5000 tokenizations per second
Next Generation Tokenization
• Memory-tokenization
• 200,000 - 9,000,000+ tokenizations per second • 200,000 - 9,000,000+ tokenizations per second
• “The tokenization scheme offers excellent security, since it is
based on fully randomized tables.” *
• “This is a fully distributed tokenization approach with no need
for synchronization and there is no risk for collisions.“ *
Area Impact Database File Encryption Database Column Encryption Traditional Tokenization Memory Tokenization Scalability Availability Latency CPU Consumption
Evaluating Encryption & Tokenization Approaches
Encryption
Evaluation Criteria Tokenization
Security Data Flow Protection Compliance Scoping Key Management Data Collisions Separation of Duties
The actual protection of the data is not the challenge Centralized solutions are needed to managed
complex security requirements
• Based on Security Policies with Transparent Key
management
• Many methods to secure the data • Auditing, Monitoring and Reporting
Solutions that minimize the impact on business
Data Protection Challenges
Solutions that minimize the impact on business operations
• Highest level of performance and transparency
Rapid Deployment
Affordable with low TCO
Best Practices - Data Security Management
Database Protector File System Protector Policy Audit Log Secure Archive Application Protector Tokenization Server Enterprise Data Security Administrator : Enforcement pointAbout Protegrity
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented Technology, Continuing to Drive Innovation
Growth driven by compliance and risk management
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information) • PHI (Protected Health Information) – HIPAA
• State and Foreign Privacy Laws, Breach Notification Laws • State and Foreign Privacy Laws, Breach Notification Laws
• High Cost of Information Breach ($4.8m average cost), immeasurable costs of brand
damage , loss of customers
• Requirements to eliminate the threat of data breach and non-compliance
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation • Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment • Manufacturing and Government
Please contact me for more information
